security research: bad news, good news

Posted on 19-May-2022

Page 1: Security Research: bad news, good news

Dr Ian Batten, University of Birmingham
https://igb.batten.eu.org/

Page 2: Who am I?

• Lecturer at University of Birmingham School of Computer Science
• Formerly (until 2010) Head of Information Assurance for a telecoms manufacturer, amongst other things in a 22-year industry career.
• Full time PhD 2010–2014, making my mid-life crisis longer and more expensive than most.
• I should have just bought a motorbike: I’ve got a full licence already.

Page 3: My proposition

• Security in most businesses could be better, and there are genuine attacks being carried out successfully by opponents of greater and (usually) lesser skill.
• Probably not on the scale that is sometimes claimed.
• Often internal attackers exploiting poor internal controls.
• And the rest are mostly old frauds made more powerful, or easier to do remotely, by new technology.
• The technological vulnerabilities are old, too: the TalkTalk vulnerability was older than the hacker accused of exploiting it.
• We tend to worry about the exotic and exciting, when the threats are usually much more mundane. As the NCSC CTO says, it’s not about black-clad cyber ninjas who can break into your machines by thought power alone.
• We can raise the bar to make the lower-skill attacks uneconomic, in the same way we can avoid leaving the keys in the ignition of our cars.
• Cars have become more secure straight from the showroom: much less market for Krooklocks. IT needs to do the same.

Page 4: What you hear

• Every week, there are new announcements of failures in security systems.
• Last week alone, “WiFi is broken” and “Smartcards are broken”.
• It’s important to remember that an attack which is interesting to researchers may not be as serious as it sounds for end-users.
• Particularly if your knowledge comes via the general media.

Page 5: What do researchers want?

• For academic security researchers, vulnerabilities are vital. The vulnerability, its analysis and its counter-measures are each a paper at a conference; three papers plus an introduction and a conclusion makes a PhD you will have no problem getting awarded.
• It doesn’t matter if the attack is impractical, uneconomic or of little practical importance; it may have other implications in the academic security research world.
• But the real-world impact may be very different.

Page 6: What do criminals want?

• Most want money.
• Some want fame for themselves or their “cause”.
• Some want the admiration of their peers.
• Some might be sociopaths who enjoy the damage.
• Very, very few think “I want a paper at CSF so that I can further my post-doctoral research career”.
• A lot of attacks only make sense in that context.

Page 7: For example

• There are a range of attacks against contactless payment schemes.
• But these attacks are quite difficult to pull off, hard to monetise and require large amounts of equipment.
• Equipment which would be hard to explain to the police or a jury as having a legitimate purpose, too.
• Which is why the initially-predicted volume of attacks on contactless payment just hasn’t happened: it’s not worth the criminals’ time, assuming their motive is money rather than citations for their new publication.
• As the limit on transactions is £30, the typical criminal is better off stealing razors from supermarkets.

Page 8: Yes, Razors

Each took an average of £105 of goods, according to the survey commissioned by Group 4 Securicor. Supermarkets are regarded as the easiest place for shoplifting by 21% of people, followed by garden and DIY centres. But what do they take? Top of the list are razor blades, according to the research.

Page 9: Law Abiding Criminals

• Few academic security researchers have criminal records. Doing a PhD is pretty much the definition of having been law-abiding for all of your life.
• They therefore do not compare the economics and risk-reward of their work with the economics of shop-lifting.
• And by economics I include risk/return and opportunity cost.
• They do, however, often have a slightly odd “victim-blaming” attitude to computer crime, which is somehow different to housebreaking.
• I call this the “law-abiding criminal” fallacy: assuming we face opponents who are willing to break the Computer Misuse Act, but not steal razor blades from Aldi.

Page 10: Petty Criminal with Citations

• Many of the conjectured attacks are time-consuming, require specialised equipment and have uncertain pay-offs, with quite a high associated risk of detection (in terms of the payout not being available, even if not criminal).
• But if your end goal is getting a paper at CSF, you don’t care if the attack is economically viable: the paper is the pay-off, not any small monetary gain.
• This is the “petty criminal who cares about their publication history” fallacy: that you can make an uneconomic attack plausible by citation count.

Page 11: Break at any cost

• If your PhD depends on a particular vulnerability, you will be willing to work at it until it’s usable.
• However, criminals can just do other crimes in the same time to make more money.
• A vulnerability is competing with all other ways the criminal can make the same or more money.
• This is the “breaking computers at any cost” fallacy: that attackers cannot choose between cyber-crime and other forms of crime.

Page 12: Deterrence by difficulty

• It isn’t hard to break into those little safes you get in hotels.
• They’re thirty quid, including VAT, retail. What do you expect?
• But all they have to do is make stealing your passport slightly harder, noisier and riskier than some other crime.
• They are not proof against Robert De Niro as the uber-criminal in Heat, nor are they intended to be.
• But they raise the bar against light-fingered hotel staff.

Page 13: Consider last week: “Krack” and WPA2

• In passing, note the trend of newly uncovered vulnerabilities having a logo and a website before they’re even announced.
• Academically, a fascinating attack: it shows that it’s vital when doing security proofs to define exactly what security properties you are proving things about.
• In the case of Krack, it doesn’t reveal keys, and it often doesn’t permit full decryption.
• The arrival of an attack on a “proven” protocol which is both a real attack and does not invalidate the proofs is quite scary, long-term. #GladMyVivaIsNotNextWeek
• https://www.krackattacks.com

Page 14: However…

• It’s hard to see the real risks for moderately competent (not GCHQ, just “taking sensible precautions”) users.
• It requires an active attacker able to monitor and transmit radio frames within reach of the victim’s machines, so it’s about targeted attacks, and requires equipment within 100m of the target.
• It does not provide any significant new means to attack https, a VPN, or any other “end to end” encryption.
• Anyone with the means to launch the attack has better ways to achieve the same, or better, effect (“rogue AP”).
• You shouldn’t be trusting wireless networks anyway, particularly not ones you don’t control (“evil AP”).
• None of this nuance was present in media coverage.

Page 15: Similarly Smartcards

• Lost under the WPA2 attack last week was a potentially more worrying attack on Infineon smart cards and TPMs.
• A TPM is a small device fitted to most enterprise servers and laptops which acts as a secure keystore, amongst other things.
• Details are rather technical, but in essence when generating random prime numbers, they do so badly enough that a crucial question for an attacker (“which two 350-digit prime numbers were multiplied together to make this 700-digit composite?”) moves from impossible to relatively easy (still needs tens of thousands of pounds’ worth of CPU, though).
• https://crocs.fi.muni.cz/public/papers/rsa_ccs17
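The practical consequence for a defender is that the affected keys can be recognised from the public modulus alone, so an estate can be inventoried before anyone needs to touch the factoring question. The following Python is an added illustration, not part of the slides and not the ROCA authors' own detection tool; it follows the structure the linked paper describes. The assumed weak generator builds primes of the form k·M + (65537^a mod M), where M is a primorial, so a modulus N = p·q satisfies N ≡ 65537^(a+b) (mod M) and, for every small prime r dividing M, N mod r is a power of 65537. The toy M here is the product of the primes up to 23 rather than the hundreds-of-bits primorial real keys use, and the control modulus is constructed from two ordinary primes just above one million.

```python
"""Added illustration (not from the slides or the ROCA authors' tool) of why the
Infineon keys could be fingerprinted from the public modulus. Toy sizes throughout."""
import math

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23]
M = math.prod(SMALL_PRIMES)   # toy primorial (223092870); the real M is hundreds of bits
E = 65537                     # the public exponent the weak structure is built around


def is_probable_prime(n: int) -> bool:
    """Deterministic Miller-Rabin (bases 2..37), correct for n < 3.3e24: plenty here."""
    if n < 2:
        return False
    for p in SMALL_PRIMES + [29, 31, 37]:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def infineon_style_prime(a: int) -> int:
    """Assumed weak generator: smallest prime of the form k*M + (65537^a mod M), k >= 1."""
    r = pow(E, a, M)
    k = 1
    while not is_probable_prime(k * M + r):
        k += 1
    return k * M + r


def subgroup_generated_by(g: int, r: int) -> set:
    """Powers of g modulo the prime r, i.e. the subgroup <g> of (Z/rZ)*."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = x * g % r
    return seen


def roca_fingerprint(n: int, primes=SMALL_PRIMES[1:]) -> bool:
    """True when n mod r is a power of 65537 for every small odd prime r checked.
    A modulus built from two weak-form primes always passes. An ordinary key
    passes this toy list only by chance (about 1 in 40, from the subgroup sizes
    for 11, 13, 17 and 19); the published test checks far more primes, which
    makes that chance negligible."""
    return all(n % r in subgroup_generated_by(E % r, r) for r in primes)


# Constructed control: the product of two ordinary primes just above one million.
# 1000003 ≡ 4 and 1000033 ≡ 1 (mod 11), so N ≡ 4, which is not in <65537> = {1, 10}.
CONTROL_N = 1000003 * 1000033


if __name__ == "__main__":
    p, q = infineon_style_prime(3), infineon_style_prime(7)
    print("weak-structure modulus flagged:", roca_fingerprint(p * q))
    print("ordinary modulus flagged:", roca_fingerprint(CONTROL_N))
```

The fingerprint is a pure property of the public key, so the same check can be run over an inventory of certificates or TPM-generated keys without any private material; what it cannot do is tell you how expensive the factoring would be, which is the slide's "tens of thousands of pounds of CPU" point and depends on key size.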

Page 16: Lessons?

• Both attacks are serious, documented by serious people. They are definitely not trivial pieces of work. They are papers at a top conference, and with good cause.
• They have long-term implications both in their own terms, and for what they say about the way we analyse and verify systems.
• They probably (I stress probably) present very little additional risk to the typical business. Your defences against existing attacks probably defend you against these new attacks.

Page 17: Meanwhile, in the real world

• Real people are being taken for large amounts of money by “these are our bank details, send your payment here” email scams.
• These require insider knowledge, probably gained by phishing and other penetration.
• Not obvious who is liable, but (for example) the SRA is taking a close look at it for solicitors, which may make it your problem.
• And of course SMEs are often the victim, too.
• £120 000 example this week: https://goo.gl/31edKi

Page 18: High Tech?

• No. Probably carried out by a phishing attack used to install enough software to interfere with the sending of email. Similar frauds were being carried out by phone ten and more years ago.
• But devastating, nonetheless.

Page 19: Defences

• In the precise case of these payment frauds, “out of band” confirmation of payment details.
• When it’s my money, I confirm bank details over the phone.
• The nature of the fraud means the “fake” email may be “genuine” in the sense of being sent from the real originator’s computer.
• Why not put your bank details on your business card and hand it out when you first engage with a customer?
• Why not print “we will never use email to send bank details or changes to payment arrangements” on your letterhead?
• But what can we do to deter low-tech / high-impact attacks whose details we don’t as yet know about?

Page 20: Raising the bar for attackers

• Some controls require that we make full risk-assessments that are difficult to do, particularly for SMEs, because of the potential to do more harm to the business than good:
  • Capital cost
  • Revenue cost (training, time, inconvenience)
  • Opportunity cost (do other things with the money)
• But some stuff is just basic “make sure your car is taxed and tested” stuff we should all be doing.

Page 21: Raising the bar for attackers

• Password managers
• Two factor authentication
• HTTP encryption everywhere
• Disk encryption on everything
• I’m assuming that “keep your software up to date” doesn’t need saying, although the excuses people use for not patching are a shocking array of badness.
• I’m going to step away from “do I need a virus scanner?” as we don’t have all day.

Page 22: Password managers

• Passwords are over; we’re just sweeping up the wreckage.
• Using a single-use random password unique to each website reduces the risks of leaks. They are still rubbish, but less rubbish.
• NCSC/GCHQ advice is a good starting point.
• Password overload means users simply cannot cope with password “strength” guidance, password change, etc.
• If it needs securing seriously, passwords aren’t good enough (see 2FA). So passwords are only for low-value data.
• https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach

Page 23: How many can you remember? I have 534.

Page 24: Why password managers?

• Permits different, strong passwords for each website.
• Prevents failures of one web service contaminating all others used by the same user.
• (For the technical) Makes leakage of password hashes much less serious, as the passwords cannot be brute-forced.

Page 25: Two factor authentication

• Requires something you know (a password) and something you have (a token of some sort, usually on a phone).
• Usually a phone app, or an SMS message containing a code.
• Alternatives include Yubikey, Vasco, RSA SecurID and so on.
• I insisted on it when my kids started using Facebook and Twitter: 2FA tied to their phone.
• Use it for Google apps, Gmail, Outlook, iCloud, Facebook, Twitter, LastPass…
• Client and server: we should access services using 2FA, and we should offer services with 2FA.

Page 26: Particularly email

Page 27: Why two factor?

• Gets us away from relying on passwords.
• Even a strong attacker able to read all traffic cannot log in a second time.
• Makes sharing of passwords between users much harder (not impossible, but not practical long-term).
• Makes compromise of machines much less serious.

Page 28: HTTP encryption everywhere

• If we are running a website, any website, whatever it is, it should be https with a correctly issued certificate.
• Unencrypted http is over, not just because of confidentiality, but because of integrity. There is no reason not to use https.
• Let’s Encrypt certificates are free; others are less than a hundred quid. Even wildcard certificates are cheap enough that you can buy them as an individual (I have *.batten.eu.org for my private machines).
• Makes it harder for attackers to fake your contact details, which is obviously useful to them.
• If you don’t know what you’re doing, get a third party you trust to host your website.
• The days of getting your office manager’s GCSE student son to do it are over.

Page 29: Even trivial sites: https

Page 30: Why https?

• Removes reliance on the reliability of WiFi and other network access technologies.
• Makes it harder (not impossible) for attackers to modify content.
• (For the technical) Mixed http/https (“just encrypt login”) is a disaster, as the attacker can divert to the unencrypted version.
• (For the technical) Investigate HSTS, HSTS-preload and HPKP.
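For the two "for the technical" bullets, here is an added example (not from the slides) of the check a practitioner would run: a small Python audit of a site's response headers against what the browser HSTS preload list requires, namely a plain-http request answered with a redirect to https, and on the https side a Strict-Transport-Security header with a max-age of at least one year, includeSubDomains and preload. The responses are constructed inline rather than fetched so it runs offline; example.com is the reserved example domain. HPKP, also named on the slide, has since been withdrawn by the major browsers, so the audit covers HSTS and the redirect only.

```python
"""Added example (not from the slides): audit constructed HTTP responses for the
'everything over https' posture the slide argues for."""
ONE_YEAR = 31536000   # seconds; the preload list requires max-age of at least one year


def parse_hsts(value: str) -> dict:
    """Split a Strict-Transport-Security value (RFC 6797) into lower-cased directives."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else True
    return directives


def audit_https_response(status: int, headers: dict, scheme: str = "https") -> list:
    """Return a list of findings for one response; an empty list means it looks right.
    `scheme` says whether the request that produced it went over plain http or https."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}
    if scheme == "http":
        # A plain-http hit must be redirected to https, never answered with content.
        location = h.get("location", "")
        if status not in (301, 302, 307, 308) or not location.startswith("https://"):
            findings.append("http request not redirected to https")
        return findings
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header: the next visit can still start on plain http")
        return findings
    d = parse_hsts(hsts)
    raw = d.get("max-age")
    max_age = int(raw) if isinstance(raw, str) and raw.isdigit() else 0
    if max_age < ONE_YEAR:
        findings.append(f"HSTS max-age {max_age} is under one year")
    if "includesubdomains" not in d:
        findings.append("HSTS lacks includeSubDomains: subdomains remain downgradable")
    if "preload" not in d:
        findings.append("HSTS lacks preload: the very first visit is unprotected until the site is on the preload list")
    return findings


# Constructed sample responses (status, headers).
WEAK = (200, {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=300"})
GOOD = (200, {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"})
PLAIN_HTTP_CONTENT = (200, {"Content-Type": "text/html"})
PLAIN_HTTP_REDIRECT = (301, {"Location": "https://example.com/"})


if __name__ == "__main__":
    for name, resp in [("WEAK", WEAK), ("GOOD", GOOD)]:
        print(name, audit_https_response(*resp) or "ok")
    print("http content", audit_https_response(*PLAIN_HTTP_CONTENT, scheme="http") or "ok")
    print("http redirect", audit_https_response(*PLAIN_HTTP_REDIRECT, scheme="http") or "ok")
```

The "just encrypt login" failure on the slide is exactly the gap the first two findings describe: without a long-lived HSTS policy the browser will still follow a plain-http link or redirect to the site, and the attacker only needs one such request to serve a modified page.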

Page 31: Disk encryption on everything

• It is easy to bypass passwords given the ability to dismantle a machine.
• Recovering data from “broken” disks is also easy, but if they are “broken” it is harder to erase the data.
• Very few people are willing to feed disk drives into chippers.

Page 32: Easy on Mac, Easy on Windows

Page 33: Why disk encryption?

• Reduces the impact of loss of machines.
• Reduces the problem of decommissioning and disposal of old assets, particularly if they no longer work.
• Wiping disks is hard, and hard to certify.
• There is no credible downside.

Page 34: Better passwords, 2FA, https and disk encryption

• Makes a lot of current and possible attacks harder.
• Reduces the need to trust networks.
• Raises the bar for attackers so that they have to work at their attacks.
• Large enterprises are already doing this stuff, hence the criminal focus switching to SMEs.
• Instead of panicking about edge-case attacks, improve fundamentals. And keep your software up to date, m’kay?

Page 35: Conclusion

• Lots of noise from academia.
• Amplified by media.
• Main risks are lower-tech, with counter-measures we can all put in place.
• Fix the fundamentals to keep out the majority of attacks.